Blog: Why Dropbox wasn't really 'hacked'

News broke last week that "Dropbox had been hacked" - that 7 million users' passwords had been published. One's first reaction is disbelief: that a company so important and trusted by so many people could have security weak enough for such a thing to happen. Security and trust are the basis of its business model; without them, there is no Dropbox.

A few years ago, online services were more hackable, but due to the number of high profile breaches everyone has been upping their game, and companies like Dropbox, Google and Facebook are at the forefront of protecting their customers and their business. Most of the high profile hacks of customer data have been of 'bricks-and-mortar companies gone online' rather than new age tech companies which started online. The challenge for these older companies is that they have legacy systems and 3rd party suppliers which were not designed for the digital age; security was not baked in from the start. The biggest weakness is often people, not the systems.

With companies like Dropbox, hacking and online security were known knowns (is that really now part of the lexicon? - ed) when the company was formed. That said, even these online companies have been hacked. Dropbox itself suffered a previous security breach in 2012, but according to its statement, that was the result of a staff member's password being revealed and used to download a file of email addresses.

So, back to 2014, and according to reports "7 million Dropbox account names and passwords have been published". It is inconceivable that Dropbox, a modern sophisticated service provider, or any equivalent mass service provider, would not salt* and hash* its passwords, so that even someone with complete access to the system would not be able to download a list of passwords. There had to be another explanation. There was.

According to Dropbox, some other 3rd party services were hacked - presumably services which did not salt and hash their passwords, or which were compromised some other way - and, armed with those user credentials, the attackers tried the same username/password pairs against Dropbox (a technique known as 'credential stuffing'). Unsurprisingly, in many cases the same combination also worked on Dropbox. The attackers then collated the list of matching (valid) accounts and published it.

So, other than confirming that a password worked, Dropbox was not hacked, and it's also unlikely that "seven million" accounts were compromised; at the time of writing the hackers had published only 400. Of course, it does depend on your definition of 'hacked'. If someone uses a stolen username and password to access a service, that is technically hacking, but it is not due to any flaw in the service itself, which means that not every user is at risk - only those who reused the same password elsewhere.

Passwords can also be stolen when users entrust their credentials to 3rd party apps, a method used to steal Snapchat account passwords. The theft of celebrity selfies, apparently from Apple's iCloud, was blamed on the users: Apple suggested that they had used poorly chosen passwords or easy-to-guess security questions.

The important point is that this incident highlights the tedious but essential practice of using a different, strong password for each of your online (and offline!) services. This is one of the vital recommendations in our guide "The 27 Things every router user should know".

*Hashing (a 'one-way hash') is a way of storing a value derived from a user's password rather than the password itself: when the user enters their password, the system runs it through the same algorithm and checks whether the result matches the stored hash. The hash cannot be converted back into the password (it is not encryption, as there is no key with which to decrypt it). 'Salting' adds a random value to each password before it is hashed, so that two users with the same password get different hashes and an attacker cannot use precomputed tables of common passwords; each stored hash has to be attacked individually. Modern systems also use a deliberately slow hashing algorithm (such as bcrypt or PBKDF2) so that guessing is expensive. Hashing without salting is not considered secure.
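The following is an added illustration of both points above (the salted hash footnote, and the way the published list was produced); it is example code written for this article, not anything from Dropbox. It stores passwords for a made-up service as salted PBKDF2 hashes, shows that unsalted hashes expose which users share a password while salted ones do not, and then replays a constructed list of credentials "leaked" from a third-party site through the normal login check. The email addresses, passwords and the leaked list are all invented for the example.

```python
import hashlib
import hmac
import os

# Tunables for PBKDF2-HMAC-SHA256. The iteration count is kept low so the
# demonstration runs in well under a second; real deployments use much
# higher values (or a memory-hard function such as scrypt or Argon2).
ITERATIONS = 20_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt is generated for every password unless one is
    supplied (supplying one is only useful for deterministic tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_sha256(password):
    """The weak scheme: a bare hash with no salt and no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def duplicate_hashes(records):
    """True if any two stored hashes are identical, i.e. an attacker holding
    the database can see at a glance which users share a password."""
    values = list(records.values())
    return len(values) != len(set(values))


# Constructed sample data: a Dropbox-like service storing salted hashes.
# Bob and Carol happen to use the same password.
SERVICE_DB = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
    "carol@example.com": hash_password("hunter2"),
}

# Constructed sample data: plaintext credentials leaked from some third-party
# site. Alice and Bob reused their passwords there; Carol did not; Dave has
# no account on the service at all.
THIRD_PARTY_LEAK = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("dave@example.com", "letmein"),
]


def credential_stuffing(leak, db):
    """Replay each leaked pair through the ordinary login check and return
    the accounts where it works. Nothing about the service's hashing is
    bypassed: the attacker simply submits the real password."""
    return [email for email, pw in leak
            if email in db and verify_password(pw, db[email])]


if __name__ == "__main__":
    weak = {e: unsalted_sha256(p) for e, p in
            [("bob@example.com", "hunter2"), ("carol@example.com", "hunter2")]}
    print("unsalted hashes reveal shared password:", duplicate_hashes(weak))
    print("salted hashes reveal shared password:  ", duplicate_hashes(SERVICE_DB))
    print("accounts the attacker can publish:     ",
          credential_stuffing(THIRD_PARTY_LEAK, SERVICE_DB))
```

The point the output makes is the one the article makes: salting and a slow hash protect the stored records if the database is stolen, but they do nothing for a user who reused a password, because the attacker never needs the hash. Carol shares Bob's password but is not on the published list, since the password leaked for her elsewhere was a different one.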

Note : This article is an editorial piece and does not necessarily reflect the views of DrayTek Corp, its staff or any associated person or company. The information is provided in good faith based on publicly available information however has not been independently verified. As such, no reliance, commercial or otherwise should be placed on the information which is provided for discussion or interest only.

Important Notice : This is an editorial opinion piece and does not necessarily reflect the views of DrayTek Corp. Information contained is presented in good faith as a topic of discussion, based on information in the public domain. No warranty is given of the accuracy of 3rd party reports relied upon, or the accuracy of information provided. If you believe anything to be in error, please contact us immediately for review and correction where appropriate. Any links to 3rd party sites are provided as a courtesy and the content of those sites are outside of our control; no warranty is given of the accuracy of any external sites.

Comments

From: SecOps, 09/01/2015

Isn't this about the weakest link? Wherever it may be: a third party, an employee or an infrastructural vulnerability. And it's not about the number (7 million or 400); the focus here should be the data that is at risk due to hacked/lost/stolen accounts. What if one of those 400 was your account? Google/Twitter/Dropbox etc. cannot be complacent when they trust third parties to process their customer data.

From: DrayTek - Michael, 11/12/2014

Then the service would be unable to communicate with you. If someone sends you a file by Dropbox, you want notification. If it was a disposable email address you'd never know... plus you'd have to remember dozens of addresses, and be unable to retrieve/reset your password if you forgot it. Finally, most services expect/require you to use permanently valid credentials. No, the answer is simply to use unique and strong passwords.

From: William Old, 10/12/2014

The approach taken by the party responsible for the "breach" highlights yet another advantage of using "one-time" e-mail addresses, i.e. giving a unique, traceable e-mail address to each of your e-mail addressees. Whether the matching of the username/password combinations was automated or manually achieved, it's more than likely that it was the e-mail address of the user that was used to achieve the linking, and of course if there isn't a match, the link isn't likely to be made.


DrayTek is the leading manufacturer of business class broadband and networking solutions. These help consumers and businesses save money and improve efficiency by exploiting the full potential of the Internet. The product range includes routers, firewalls, PBXs, IP Phones, switches and wireless access points.